openssl
/
openssl
mirror of https://github.com/openssl/openssl
1
0
Fork 0
Code Issues Releases Wiki Activity

Use an enum for the return value from a construction function 

Construction return values are no longer boolean but can return 3 different
values, so we use an enum to represent them.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18990)
This commit is contained in:
Matt Caswell 2022-08-12 13:27:21 +01:00 committed by Hugo Landau
parent 3e93c5fe1e
commit 67ec6d2b74
7 changed files with 162 additions and 133 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
ssl/statem/statem.c
View File

@ -806,11 +806,11 @@ static SUB_STATE_RETURN write_state_machine(SSL_CONNECTION *s)
WORK_STATE(*pre_work) (SSL_CONNECTION *s, WORK_STATE wst);
WORK_STATE(*post_work) (SSL_CONNECTION *s, WORK_STATE wst);
int (*get_construct_message_f) (SSL_CONNECTION *s,
int (**confunc) (SSL_CONNECTION *s,
WPACKET *pkt),
CON_FUNC_RETURN (**confunc) (SSL_CONNECTION *s,
WPACKET *pkt),
int *mt);
void (*cb) (const SSL *ssl, int type, int val) = NULL;
int (*confunc) (SSL_CONNECTION *s, WPACKET *pkt);
CON_FUNC_RETURN (*confunc) (SSL_CONNECTION *s, WPACKET *pkt);
int mt;
WPACKET pkt;
SSL *ssl = SSL_CONNECTION_GET_SSL(s);
@ -889,14 +889,14 @@ static SUB_STATE_RETURN write_state_machine(SSL_CONNECTION *s)
return SUB_STATE_ERROR;
}
if (confunc != NULL) {
int tmpret;
CON_FUNC_RETURN tmpret;
tmpret = confunc(s, &pkt);
if (tmpret <= 0) {
if (tmpret == CON_FUNC_ERROR) {
WPACKET_cleanup(&pkt);
check_fatal(s);
return SUB_STATE_ERROR;
} else if (tmpret == 2) {
} else if (tmpret == CON_FUNC_DONT_SEND) {
/*
* The construction function decided not to construct the
* message after all and continue. Skip sending.

6
ssl/statem/statem.h
View File

@ -80,6 +80,12 @@ typedef enum {
ENC_WRITE_STATE_WRITE_PLAIN_ALERTS
} ENC_WRITE_STATES;
typedef enum {
CON_FUNC_ERROR = 0,
CON_FUNC_SUCCESS,
CON_FUNC_DONT_SEND
} CON_FUNC_RETURN;
/*****************************************************************************
* *
* This structure should be considered "opaque" to anything outside of the *

64
ssl/statem/statem_clnt.c
View File

@ -1098,7 +1098,7 @@ WORK_STATE ossl_statem_client_post_process_message(SSL_CONNECTION *s,
}
}
int tls_construct_client_hello(SSL_CONNECTION *s, WPACKET *pkt)
CON_FUNC_RETURN tls_construct_client_hello(SSL_CONNECTION *s, WPACKET *pkt)
{
unsigned char *p;
size_t sess_id_len;
@ -1114,7 +1114,7 @@ int tls_construct_client_hello(SSL_CONNECTION *s, WPACKET *pkt)
protverr = ssl_set_client_hello_version(s);
if (protverr != 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, protverr);
return 0;
return CON_FUNC_ERROR;
}
if (sess == NULL
@ -1123,7 +1123,7 @@ int tls_construct_client_hello(SSL_CONNECTION *s, WPACKET *pkt)
if (s->hello_retry_request == SSL_HRR_NONE
&& !ssl_get_new_session(s, 0)) {
/* SSLfatal() already called */
return 0;
return CON_FUNC_ERROR;
}
}
/* else use the pre-loaded session */
@ -1150,7 +1150,7 @@ int tls_construct_client_hello(SSL_CONNECTION *s, WPACKET *pkt)
if (i && ssl_fill_hello_random(s, 0, p, sizeof(s->s3.client_random),
DOWNGRADE_NONE) <= 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
return 0;
return CON_FUNC_ERROR;
}
/*-
@ -1189,7 +1189,7 @@ int tls_construct_client_hello(SSL_CONNECTION *s, WPACKET *pkt)
if (!WPACKET_put_bytes_u16(pkt, s->client_version)
|| !WPACKET_memcpy(pkt, s->s3.client_random, SSL3_RANDOM_SIZE)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
return 0;
return CON_FUNC_ERROR;
}
/* Session ID */
@ -1204,7 +1204,7 @@ int tls_construct_client_hello(SSL_CONNECTION *s, WPACKET *pkt)
&& RAND_bytes_ex(sctx->libctx, s->tmp_session_id,
sess_id_len, 0) <= 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
return 0;
return CON_FUNC_ERROR;
}
} else {
sess_id_len = 0;
@ -1222,7 +1222,7 @@ int tls_construct_client_hello(SSL_CONNECTION *s, WPACKET *pkt)
sess_id_len))
|| !WPACKET_close(pkt)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
return 0;
return CON_FUNC_ERROR;
}
/* cookie stuff for DTLS */
@ -1231,30 +1231,30 @@ int tls_construct_client_hello(SSL_CONNECTION *s, WPACKET *pkt)
|| !WPACKET_sub_memcpy_u8(pkt, s->d1->cookie,
s->d1->cookie_len)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
return 0;
return CON_FUNC_ERROR;
}
}
/* Ciphers supported */
if (!WPACKET_start_sub_packet_u16(pkt)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
return 0;
return CON_FUNC_ERROR;
}
if (!ssl_cipher_list_to_bytes(s, SSL_get_ciphers(SSL_CONNECTION_GET_SSL(s)),
pkt)) {
/* SSLfatal() already called */
return 0;
return CON_FUNC_ERROR;
}
if (!WPACKET_close(pkt)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
return 0;
return CON_FUNC_ERROR;
}
/* COMPRESSION */
if (!WPACKET_start_sub_packet_u8(pkt)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
return 0;
return CON_FUNC_ERROR;
}
#ifndef OPENSSL_NO_COMP
if (ssl_allow_compression(s)
@ -1266,7 +1266,7 @@ int tls_construct_client_hello(SSL_CONNECTION *s, WPACKET *pkt)
comp = sk_SSL_COMP_value(sctx->comp_methods, i);
if (!WPACKET_put_bytes_u8(pkt, comp->id)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
return 0;
return CON_FUNC_ERROR;
}
}
}
@ -1274,16 +1274,16 @@ int tls_construct_client_hello(SSL_CONNECTION *s, WPACKET *pkt)
/* Add the NULL method */
if (!WPACKET_put_bytes_u8(pkt, 0) || !WPACKET_close(pkt)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
return 0;
return CON_FUNC_ERROR;
}
/* TLS extensions */
if (!tls_construct_extensions(s, pkt, SSL_EXT_CLIENT_HELLO, NULL, 0)) {
/* SSLfatal() already called */
return 0;
return CON_FUNC_ERROR;
}
return 1;
return CON_FUNC_SUCCESS;
}
MSG_PROCESS_RETURN dtls_process_hello_verify(SSL_CONNECTION *s, PACKET *pkt)
@ -3315,7 +3315,8 @@ static int tls_construct_cke_srp(SSL_CONNECTION *s, WPACKET *pkt)
#endif
}
int tls_construct_client_key_exchange(SSL_CONNECTION *s, WPACKET *pkt)
CON_FUNC_RETURN tls_construct_client_key_exchange(SSL_CONNECTION *s,
WPACKET *pkt)
{
unsigned long alg_k;
@ -3352,7 +3353,7 @@ int tls_construct_client_key_exchange(SSL_CONNECTION *s, WPACKET *pkt)
goto err;
}
return 1;
return CON_FUNC_SUCCESS;
err:
OPENSSL_clear_free(s->s3.tmp.pms, s->s3.tmp.pmslen);
s->s3.tmp.pms = NULL;
@ -3362,7 +3363,7 @@ int tls_construct_client_key_exchange(SSL_CONNECTION *s, WPACKET *pkt)
s->s3.tmp.psk = NULL;
s->s3.tmp.psklen = 0;
#endif
return 0;
return CON_FUNC_ERROR;
}
int tls_client_key_exchange_post_work(SSL_CONNECTION *s)
@ -3538,7 +3539,8 @@ WORK_STATE tls_prepare_client_certificate(SSL_CONNECTION *s, WORK_STATE wst)
return WORK_ERROR;
}
int tls_construct_client_certificate(SSL_CONNECTION *s, WPACKET *pkt)
CON_FUNC_RETURN tls_construct_client_certificate(SSL_CONNECTION *s,
WPACKET *pkt)
{
SSL *ssl = SSL_CONNECTION_GET_SSL(s);
@ -3547,18 +3549,18 @@ int tls_construct_client_certificate(SSL_CONNECTION *s, WPACKET *pkt)
/* no context available, add 0-length context */
if (!WPACKET_put_bytes_u8(pkt, 0)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
return 0;
return CON_FUNC_ERROR;
}
} else if (!WPACKET_sub_memcpy_u8(pkt, s->pha_context, s->pha_context_len)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
return 0;
return CON_FUNC_ERROR;
}
}
if (!ssl3_output_cert_chain(s, pkt,
(s->s3.tmp.cert_req == 2) ? NULL
: s->cert->key)) {
/* SSLfatal() already called */
return 0;
return CON_FUNC_ERROR;
}
if (SSL_CONNECTION_IS_TLS13(s)
@ -3570,10 +3572,10 @@ int tls_construct_client_certificate(SSL_CONNECTION *s, WPACKET *pkt)
* state and thus ssl3_send_alert may crash.
*/
SSLfatal(s, SSL_AD_NO_ALERT, SSL_R_CANNOT_CHANGE_CIPHER);
return 0;
return CON_FUNC_ERROR;
}
return 1;
return CON_FUNC_SUCCESS;
}
int ssl3_check_cert_and_algorithm(SSL_CONNECTION *s)
@ -3620,7 +3622,7 @@ int ssl3_check_cert_and_algorithm(SSL_CONNECTION *s)
}
#ifndef OPENSSL_NO_NEXTPROTONEG
int tls_construct_next_proto(SSL_CONNECTION *s, WPACKET *pkt)
CON_FUNC_RETURN tls_construct_next_proto(SSL_CONNECTION *s, WPACKET *pkt)
{
size_t len, padding_len;
unsigned char *padding = NULL;
@ -3631,12 +3633,12 @@ int tls_construct_next_proto(SSL_CONNECTION *s, WPACKET *pkt)
if (!WPACKET_sub_memcpy_u8(pkt, s->ext.npn, len)
|| !WPACKET_sub_allocate_bytes_u8(pkt, padding_len, &padding)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
return 0;
return CON_FUNC_ERROR;
}
memset(padding, 0, padding_len);
return 1;
return CON_FUNC_SUCCESS;
}
#endif
@ -3820,14 +3822,14 @@ int ssl_cipher_list_to_bytes(SSL_CONNECTION *s, STACK_OF(SSL_CIPHER) *sk,
return 1;
}
int tls_construct_end_of_early_data(SSL_CONNECTION *s, WPACKET *pkt)
CON_FUNC_RETURN tls_construct_end_of_early_data(SSL_CONNECTION *s, WPACKET *pkt)
{
if (s->early_data_state != SSL_EARLY_DATA_WRITE_RETRY
&& s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return 0;
return CON_FUNC_ERROR;
}
s->early_data_state = SSL_EARLY_DATA_FINISHED_WRITING;
return 1;
return CON_FUNC_SUCCESS;
}

7
ssl/statem/statem_dtls.c
View File

@ -927,18 +927,19 @@ static int dtls_get_reassembled_message(SSL_CONNECTION *s, int *errtype,
* ssl->session->read_compression assign
* ssl->session->read_hash assign
*/
int dtls_construct_change_cipher_spec(SSL_CONNECTION *s, WPACKET *pkt)
CON_FUNC_RETURN dtls_construct_change_cipher_spec(SSL_CONNECTION *s,
WPACKET *pkt)
{
if (s->version == DTLS1_BAD_VER) {
s->d1->next_handshake_write_seq++;
if (!WPACKET_put_bytes_u16(pkt, s->d1->handshake_write_seq)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
return 0;
return CON_FUNC_ERROR;
}
}
return 1;
return CON_FUNC_SUCCESS;
}
#ifndef OPENSSL_NO_SCTP

32
ssl/statem/statem_lib.c
View File

@ -268,7 +268,7 @@ static int get_cert_verify_tbs_data(SSL_CONNECTION *s, unsigned char *tls13tbs,
return 1;
}
int tls_construct_cert_verify(SSL_CONNECTION *s, WPACKET *pkt)
CON_FUNC_RETURN tls_construct_cert_verify(SSL_CONNECTION *s, WPACKET *pkt)
{
EVP_PKEY *pkey = NULL;
const EVP_MD *md = NULL;
@ -386,11 +386,11 @@ int tls_construct_cert_verify(SSL_CONNECTION *s, WPACKET *pkt)
OPENSSL_free(sig);
EVP_MD_CTX_free(mctx);
return 1;
return CON_FUNC_SUCCESS;
err:
OPENSSL_free(sig);
EVP_MD_CTX_free(mctx);
return 0;
return CON_FUNC_ERROR;
}
MSG_PROCESS_RETURN tls_process_cert_verify(SSL_CONNECTION *s, PACKET *pkt)
@ -561,7 +561,7 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL_CONNECTION *s, PACKET *pkt)
return ret;
}
int tls_construct_finished(SSL_CONNECTION *s, WPACKET *pkt)
CON_FUNC_RETURN tls_construct_finished(SSL_CONNECTION *s, WPACKET *pkt)
{
size_t finish_md_len;
const char *sender;
@ -582,7 +582,7 @@ int tls_construct_finished(SSL_CONNECTION *s, WPACKET *pkt)
&& (!ssl->method->ssl3_enc->change_cipher_state(s,
SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) {;
/* SSLfatal() already called */
return 0;
return CON_FUNC_ERROR;
}
if (s->server) {
@ -598,14 +598,14 @@ int tls_construct_finished(SSL_CONNECTION *s, WPACKET *pkt)
s->s3.tmp.finish_md);
if (finish_md_len == 0) {
/* SSLfatal() already called */
return 0;
return CON_FUNC_ERROR;
}
s->s3.tmp.finish_md_len = finish_md_len;
if (!WPACKET_memcpy(pkt, s->s3.tmp.finish_md, finish_md_len)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
return 0;
return CON_FUNC_ERROR;
}
/*
@ -616,7 +616,7 @@ int tls_construct_finished(SSL_CONNECTION *s, WPACKET *pkt)
&& !ssl_log_secret(s, MASTER_SECRET_LABEL, s->session->master_key,
s->session->master_key_length)) {
/* SSLfatal() already called */
return 0;
return CON_FUNC_ERROR;
}
/*
@ -624,7 +624,7 @@ int tls_construct_finished(SSL_CONNECTION *s, WPACKET *pkt)
*/
if (!ossl_assert(finish_md_len <= EVP_MAX_MD_SIZE)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
return 0;
return CON_FUNC_ERROR;
}
if (!s->server) {
memcpy(s->s3.previous_client_finished, s->s3.tmp.finish_md,
@ -636,18 +636,18 @@ int tls_construct_finished(SSL_CONNECTION *s, WPACKET *pkt)
s->s3.previous_server_finished_len = finish_md_len;
}
return 1;
return CON_FUNC_SUCCESS;
}
int tls_construct_key_update(SSL_CONNECTION *s, WPACKET *pkt)
CON_FUNC_RETURN tls_construct_key_update(SSL_CONNECTION *s, WPACKET *pkt)
{
if (!WPACKET_put_bytes_u8(pkt, s->key_update)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
return 0;
return CON_FUNC_ERROR;
}
s->key_update = SSL_KEY_UPDATE_NONE;
return 1;
return CON_FUNC_SUCCESS;
}
MSG_PROCESS_RETURN tls_process_key_update(SSL_CONNECTION *s, PACKET *pkt)
@ -896,14 +896,14 @@ MSG_PROCESS_RETURN tls_process_finished(SSL_CONNECTION *s, PACKET *pkt)
return MSG_PROCESS_FINISHED_READING;
}
int tls_construct_change_cipher_spec(SSL_CONNECTION *s, WPACKET *pkt)
CON_FUNC_RETURN tls_construct_change_cipher_spec(SSL_CONNECTION *s, WPACKET *pkt)
{
if (!WPACKET_put_bytes_u8(pkt, SSL3_MT_CCS)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
return 0;
return CON_FUNC_ERROR;
}
return 1;
return CON_FUNC_SUCCESS;
}
/* Add a certificate to the WPACKET */

53
ssl/statem/statem_local.h
View File

@ -54,7 +54,7 @@ typedef enum {
MSG_PROCESS_CONTINUE_READING
} MSG_PROCESS_RETURN;
typedef int (*confunc_f) (SSL_CONNECTION *s, WPACKET *pkt);
typedef CON_FUNC_RETURN (*confunc_f) (SSL_CONNECTION *s, WPACKET *pkt);
int ssl3_take_mac(SSL_CONNECTION *s);
int check_in_list(SSL_CONNECTION *s, uint16_t group_id, const uint16_t *groups,
@ -111,11 +111,13 @@ __owur int tls_process_initial_server_flight(SSL_CONNECTION *s);
__owur MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL_CONNECTION *s,
PACKET *pkt);
__owur MSG_PROCESS_RETURN tls_process_finished(SSL_CONNECTION *s, PACKET *pkt);
__owur int tls_construct_change_cipher_spec(SSL_CONNECTION *s, WPACKET *pkt);
__owur int dtls_construct_change_cipher_spec(SSL_CONNECTION *s, WPACKET *pkt);
__owur CON_FUNC_RETURN tls_construct_change_cipher_spec(SSL_CONNECTION *s,
WPACKET *pkt);
__owur CON_FUNC_RETURN dtls_construct_change_cipher_spec(SSL_CONNECTION *s,
WPACKET *pkt);
__owur int tls_construct_finished(SSL_CONNECTION *s, WPACKET *pkt);
__owur int tls_construct_key_update(SSL_CONNECTION *s, WPACKET *pkt);
__owur CON_FUNC_RETURN tls_construct_finished(SSL_CONNECTION *s, WPACKET *pkt);
__owur CON_FUNC_RETURN tls_construct_key_update(SSL_CONNECTION *s, WPACKET *pkt);
__owur MSG_PROCESS_RETURN tls_process_key_update(SSL_CONNECTION *s,
PACKET *pkt);
__owur WORK_STATE tls_finish_handshake(SSL_CONNECTION *s, WORK_STATE wst,
@ -123,7 +125,8 @@ __owur WORK_STATE tls_finish_handshake(SSL_CONNECTION *s, WORK_STATE wst,
__owur WORK_STATE dtls_wait_for_dry(SSL_CONNECTION *s);
/* some client-only functions */
__owur int tls_construct_client_hello(SSL_CONNECTION *s, WPACKET *pkt);
__owur CON_FUNC_RETURN tls_construct_client_hello(SSL_CONNECTION *s,
WPACKET *pkt);
__owur MSG_PROCESS_RETURN tls_process_server_hello(SSL_CONNECTION *s,
PACKET *pkt);
__owur MSG_PROCESS_RETURN tls_process_certificate_request(SSL_CONNECTION *s,
@ -135,16 +138,20 @@ __owur MSG_PROCESS_RETURN tls_process_cert_status(SSL_CONNECTION *s,
PACKET *pkt);
__owur MSG_PROCESS_RETURN tls_process_server_done(SSL_CONNECTION *s,
PACKET *pkt);
__owur int tls_construct_cert_verify(SSL_CONNECTION *s, WPACKET *pkt);
__owur CON_FUNC_RETURN tls_construct_cert_verify(SSL_CONNECTION *s,
WPACKET *pkt);
__owur WORK_STATE tls_prepare_client_certificate(SSL_CONNECTION *s,
WORK_STATE wst);
__owur int tls_construct_client_certificate(SSL_CONNECTION *s, WPACKET *pkt);
__owur CON_FUNC_RETURN tls_construct_client_certificate(SSL_CONNECTION *s,
WPACKET *pkt);
__owur int ssl_do_client_cert_cb(SSL_CONNECTION *s, X509 **px509,
EVP_PKEY **ppkey);
__owur int tls_construct_client_key_exchange(SSL_CONNECTION *s, WPACKET *pkt);
__owur CON_FUNC_RETURN tls_construct_client_key_exchange(SSL_CONNECTION *s,
WPACKET *pkt);
__owur int tls_client_key_exchange_post_work(SSL_CONNECTION *s);
__owur int tls_construct_cert_status_body(SSL_CONNECTION *s, WPACKET *pkt);
__owur int tls_construct_cert_status(SSL_CONNECTION *s, WPACKET *pkt);
__owur CON_FUNC_RETURN tls_construct_cert_status(SSL_CONNECTION *s,
WPACKET *pkt);
__owur MSG_PROCESS_RETURN tls_process_key_exchange(SSL_CONNECTION *s,
PACKET *pkt);
__owur MSG_PROCESS_RETURN tls_process_server_certificate(SSL_CONNECTION *s,
@ -153,23 +160,30 @@ __owur WORK_STATE tls_post_process_server_certificate(SSL_CONNECTION *s,
WORK_STATE wst);
__owur int ssl3_check_cert_and_algorithm(SSL_CONNECTION *s);
#ifndef OPENSSL_NO_NEXTPROTONEG
__owur int tls_construct_next_proto(SSL_CONNECTION *s, WPACKET *pkt);
__owur CON_FUNC_RETURN tls_construct_next_proto(SSL_CONNECTION *s, WPACKET *pkt);
#endif
__owur MSG_PROCESS_RETURN tls_process_hello_req(SSL_CONNECTION *s, PACKET *pkt);
__owur MSG_PROCESS_RETURN dtls_process_hello_verify(SSL_CONNECTION *s, PACKET *pkt);
__owur int tls_construct_end_of_early_data(SSL_CONNECTION *s, WPACKET *pkt);
__owur CON_FUNC_RETURN tls_construct_end_of_early_data(SSL_CONNECTION *s,
WPACKET *pkt);
/* some server-only functions */
__owur MSG_PROCESS_RETURN tls_process_client_hello(SSL_CONNECTION *s,
PACKET *pkt);
__owur WORK_STATE tls_post_process_client_hello(SSL_CONNECTION *s,
WORK_STATE wst);
__owur int tls_construct_server_hello(SSL_CONNECTION *s, WPACKET *pkt);
__owur int dtls_construct_hello_verify_request(SSL_CONNECTION *s, WPACKET *pkt);
__owur int tls_construct_server_certificate(SSL_CONNECTION *s, WPACKET *pkt);
__owur int tls_construct_server_key_exchange(SSL_CONNECTION *s, WPACKET *pkt);
__owur int tls_construct_certificate_request(SSL_CONNECTION *s, WPACKET *pkt);
__owur int tls_construct_server_done(SSL_CONNECTION *s, WPACKET *pkt);
__owur CON_FUNC_RETURN tls_construct_server_hello(SSL_CONNECTION *s,
WPACKET *pkt);
__owur CON_FUNC_RETURN dtls_construct_hello_verify_request(SSL_CONNECTION *s,
WPACKET *pkt);
__owur CON_FUNC_RETURN tls_construct_server_certificate(SSL_CONNECTION *s,
WPACKET *pkt);
__owur CON_FUNC_RETURN tls_construct_server_key_exchange(SSL_CONNECTION *s,
WPACKET *pkt);
__owur CON_FUNC_RETURN tls_construct_certificate_request(SSL_CONNECTION *s,
WPACKET *pkt);
__owur CON_FUNC_RETURN tls_construct_server_done(SSL_CONNECTION *s,
WPACKET *pkt);
__owur MSG_PROCESS_RETURN tls_process_client_certificate(SSL_CONNECTION *s,
PACKET *pkt);
__owur MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL_CONNECTION *s,
@ -182,7 +196,8 @@ __owur MSG_PROCESS_RETURN tls_process_cert_verify(SSL_CONNECTION *s,
__owur MSG_PROCESS_RETURN tls_process_next_proto(SSL_CONNECTION *s,
PACKET *pkt);
#endif
__owur int tls_construct_new_session_ticket(SSL_CONNECTION *s, WPACKET *pkt);
__owur CON_FUNC_RETURN tls_construct_new_session_ticket(SSL_CONNECTION *s,
WPACKET *pkt);
MSG_PROCESS_RETURN tls_process_end_of_early_data(SSL_CONNECTION *s,
PACKET *pkt);

121
ssl/statem/statem_srvr.c
View File

@ -43,7 +43,8 @@ ASN1_SEQUENCE(GOST_KX_MESSAGE) = {
IMPLEMENT_ASN1_FUNCTIONS(GOST_KX_MESSAGE)
static int tls_construct_encrypted_extensions(SSL_CONNECTION *s, WPACKET *pkt);
static CON_FUNC_RETURN tls_construct_encrypted_extensions(SSL_CONNECTION *s,
WPACKET *pkt);
/*
* ossl_statem_server13_read_transition() encapsulates the logic for the allowed
@ -1291,7 +1292,8 @@ int dtls_raw_hello_verify_request(WPACKET *pkt, unsigned char *cookie,
return 1;
}
int dtls_construct_hello_verify_request(SSL_CONNECTION *s, WPACKET *pkt)
CON_FUNC_RETURN dtls_construct_hello_verify_request(SSL_CONNECTION *s,
WPACKET *pkt)
{
unsigned int cookie_leni;
SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
@ -1301,17 +1303,17 @@ int dtls_construct_hello_verify_request(SSL_CONNECTION *s, WPACKET *pkt)
&cookie_leni) == 0
|| cookie_leni > DTLS1_COOKIE_LENGTH) {
SSLfatal(s, SSL_AD_NO_ALERT, SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
return 0;
return CON_FUNC_ERROR;
}
s->d1->cookie_len = cookie_leni;
if (!dtls_raw_hello_verify_request(pkt, s->d1->cookie,
s->d1->cookie_len)) {
SSLfatal(s, SSL_AD_NO_ALERT, ERR_R_INTERNAL_ERROR);
return 0;
return CON_FUNC_ERROR;
}
return 1;
return CON_FUNC_SUCCESS;
}
/*-
@ -2318,7 +2320,7 @@ WORK_STATE tls_post_process_client_hello(SSL_CONNECTION *s, WORK_STATE wst)
return WORK_ERROR;
}
int tls_construct_server_hello(SSL_CONNECTION *s, WPACKET *pkt)
CON_FUNC_RETURN tls_construct_server_hello(SSL_CONNECTION *s, WPACKET *pkt)
{
int compm;
size_t sl, len;
@ -2338,7 +2340,7 @@ int tls_construct_server_hello(SSL_CONNECTION *s, WPACKET *pkt)
? hrrrandom : s->s3.server_random,
SSL3_RANDOM_SIZE)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
return 0;
return CON_FUNC_ERROR;
}
/*-
@ -2374,7 +2376,7 @@ int tls_construct_server_hello(SSL_CONNECTION *s, WPACKET *pkt)
if (sl > sizeof(s->session->session_id)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
return 0;
return CON_FUNC_ERROR;
}
/* set up the compression method */
@ -2392,7 +2394,7 @@ int tls_construct_server_hello(SSL_CONNECTION *s, WPACKET *pkt)
pkt, &len)
|| !WPACKET_put_bytes_u8(pkt, compm)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
return 0;
return CON_FUNC_ERROR;
}
if (!tls_construct_extensions(s, pkt,
@ -2403,7 +2405,7 @@ int tls_construct_server_hello(SSL_CONNECTION *s, WPACKET *pkt)
: SSL_EXT_TLS1_2_SERVER_HELLO),
NULL, 0)) {
/* SSLfatal() already called */
return 0;
return CON_FUNC_ERROR;
}
if (s->hello_retry_request == SSL_HRR_PENDING) {
@ -2418,29 +2420,30 @@ int tls_construct_server_hello(SSL_CONNECTION *s, WPACKET *pkt)
*/
if (!create_synthetic_message_hash(s, NULL, 0, NULL, 0)) {
/* SSLfatal() already called */
return 0;
return CON_FUNC_ERROR;
}
} else if (!(s->verify_mode & SSL_VERIFY_PEER)
&& !ssl3_digest_cached_records(s, 0)) {
/* SSLfatal() already called */;
return 0;
return CON_FUNC_ERROR;
}
return 1;
return CON_FUNC_SUCCESS;
}
int tls_construct_server_done(SSL_CONNECTION *s, WPACKET *pkt)
CON_FUNC_RETURN tls_construct_server_done(SSL_CONNECTION *s, WPACKET *pkt)
{
if (!s->s3.tmp.cert_request) {
if (!ssl3_digest_cached_records(s, 0)) {
/* SSLfatal() already called */
return 0;
return CON_FUNC_ERROR;
}
}
return 1;
return CON_FUNC_SUCCESS;
}
int tls_construct_server_key_exchange(SSL_CONNECTION *s, WPACKET *pkt)
CON_FUNC_RETURN tls_construct_server_key_exchange(SSL_CONNECTION *s,
WPACKET *pkt)
{
EVP_PKEY *pkdh = NULL;
unsigned char *encodedPoint = NULL;
@ -2453,7 +2456,8 @@ int tls_construct_server_key_exchange(SSL_CONNECTION *s, WPACKET *pkt)
EVP_MD_CTX *md_ctx = EVP_MD_CTX_new();
EVP_PKEY_CTX *pctx = NULL;
size_t paramlen, paramoffset;
int freer = 0, ret = 0;
int freer = 0;
CON_FUNC_RETURN ret = CON_FUNC_ERROR;
SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
if (!WPACKET_get_total_written(pkt, &paramoffset)) {
@ -2735,7 +2739,7 @@ int tls_construct_server_key_exchange(SSL_CONNECTION *s, WPACKET *pkt)
OPENSSL_free(tbs);
}
ret = 1;
ret = CON_FUNC_SUCCESS;
err:
EVP_PKEY_free(pkdh);
OPENSSL_free(encodedPoint);
@ -2749,7 +2753,8 @@ int tls_construct_server_key_exchange(SSL_CONNECTION *s, WPACKET *pkt)
return ret;
}
int tls_construct_certificate_request(SSL_CONNECTION *s, WPACKET *pkt)
CON_FUNC_RETURN tls_construct_certificate_request(SSL_CONNECTION *s,
WPACKET *pkt)
{
if (SSL_CONNECTION_IS_TLS13(s)) {
/* Send random context when doing post-handshake auth */
@ -2759,24 +2764,24 @@ int tls_construct_certificate_request(SSL_CONNECTION *s, WPACKET *pkt)
if ((s->pha_context = OPENSSL_malloc(s->pha_context_len)) == NULL) {
s->pha_context_len = 0;
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
return 0;
return CON_FUNC_ERROR;
}
if (RAND_bytes_ex(SSL_CONNECTION_GET_CTX(s)->libctx,
s->pha_context, s->pha_context_len, 0) <= 0
|| !WPACKET_sub_memcpy_u8(pkt, s->pha_context,
s->pha_context_len)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
return 0;
return CON_FUNC_ERROR;
}
/* reset the handshake hash back to just after the ClientFinished */
if (!tls13_restore_handshake_digest_for_pha(s)) {
/* SSLfatal() already called */
return 0;
return CON_FUNC_ERROR;
}
} else {
if (!WPACKET_put_bytes_u8(pkt, 0)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
return 0;
return CON_FUNC_ERROR;
}
}
@ -2784,7 +2789,7 @@ int tls_construct_certificate_request(SSL_CONNECTION *s, WPACKET *pkt)
SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, NULL,
0)) {
/* SSLfatal() already called */
return 0;
return CON_FUNC_ERROR;
}
goto done;
}
@ -2793,7 +2798,7 @@ int tls_construct_certificate_request(SSL_CONNECTION *s, WPACKET *pkt)
if (!WPACKET_start_sub_packet_u8(pkt)
|| !ssl3_get_req_cert_type(s, pkt) || !WPACKET_close(pkt)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
return 0;
return CON_FUNC_ERROR;
}
if (SSL_USE_SIGALGS(s)) {
@ -2805,19 +2810,19 @@ int tls_construct_certificate_request(SSL_CONNECTION *s, WPACKET *pkt)
|| !tls12_copy_sigalgs(s, pkt, psigs, nl)
|| !WPACKET_close(pkt)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
return 0;
return CON_FUNC_ERROR;
}
}
if (!construct_ca_names(s, get_ca_names(s), pkt)) {
/* SSLfatal() already called */
return 0;
return CON_FUNC_ERROR;
}
done:
s->certreqs_sent++;
s->s3.tmp.cert_request = 1;
return 1;
return CON_FUNC_SUCCESS;
}
static int tls_process_cke_psk_preamble(SSL_CONNECTION *s, PACKET *pkt)
@ -3628,13 +3633,13 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL_CONNECTION *s,
return ret;
}
int tls_construct_server_certificate(SSL_CONNECTION *s, WPACKET *pkt)
CON_FUNC_RETURN tls_construct_server_certificate(SSL_CONNECTION *s, WPACKET *pkt)
{
CERT_PKEY *cpk = s->s3.tmp.cert;
if (cpk == NULL) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
return 0;
return CON_FUNC_ERROR;
}
/*
@ -3643,14 +3648,14 @@ int tls_construct_server_certificate(SSL_CONNECTION *s, WPACKET *pkt)
*/
if (SSL_CONNECTION_IS_TLS13(s) && !WPACKET_put_bytes_u8(pkt, 0)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
return 0;
return CON_FUNC_ERROR;
}
if (!ssl3_output_cert_chain(s, pkt, cpk)) {
/* SSLfatal() already called */
return 0;
return CON_FUNC_ERROR;
}
return 1;
return CON_FUNC_SUCCESS;
}
static int create_ticket_prequel(SSL_CONNECTION *s, WPACKET *pkt,
@ -3696,13 +3701,10 @@ static int create_ticket_prequel(SSL_CONNECTION *s, WPACKET *pkt,
return 1;
}
/*
* Returns 1 on success, 0 to abort construction of the ticket (non-fatal), or
* -1 on fatal error
*/
static int construct_stateless_ticket(SSL_CONNECTION *s, WPACKET *pkt,
uint32_t age_add,
unsigned char *tick_nonce)
static CON_FUNC_RETURN construct_stateless_ticket(SSL_CONNECTION *s,
WPACKET *pkt,
uint32_t age_add,
unsigned char *tick_nonce)
{
unsigned char *senc = NULL;
EVP_CIPHER_CTX *ctx = NULL;
@ -3715,7 +3717,8 @@ static int construct_stateless_ticket(SSL_CONNECTION *s, WPACKET *pkt,
SSL_CTX *tctx = s->session_ctx;
unsigned char iv[EVP_MAX_IV_LENGTH];
unsigned char key_name[TLSEXT_KEYNAME_LENGTH];
int iv_len, ok = -1;
int iv_len;
CON_FUNC_RETURN ok = CON_FUNC_ERROR;
size_t macoffset, macendoffset;
SSL *ssl = SSL_CONNECTION_GET_SSL(s);
SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
@ -3804,7 +3807,7 @@ static int construct_stateless_ticket(SSL_CONNECTION *s, WPACKET *pkt,
* ticket
*/
if (SSL_CONNECTION_IS_TLS13(s)) {
ok = 0;
ok = CON_FUNC_DONT_SEND;
goto err;
}
/* Put timeout and length */
@ -3816,7 +3819,7 @@ static int construct_stateless_ticket(SSL_CONNECTION *s, WPACKET *pkt,
OPENSSL_free(senc);
EVP_CIPHER_CTX_free(ctx);
ssl_hmac_free(hctx);
return 1;
return CON_FUNC_SUCCESS;
}
if (ret < 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_CALLBACK_FAILED);
@ -3893,7 +3896,7 @@ static int construct_stateless_ticket(SSL_CONNECTION *s, WPACKET *pkt,
goto err;
}
ok = 1;
ok = CON_FUNC_SUCCESS;
err:
OPENSSL_free(senc);
EVP_CIPHER_CTX_free(ctx);
@ -3934,7 +3937,7 @@ static void tls_update_ticket_counts(SSL_CONNECTION *s)
s->ext.extra_tickets_expected--;
}
int tls_construct_new_session_ticket(SSL_CONNECTION *s, WPACKET *pkt)
CON_FUNC_RETURN tls_construct_new_session_ticket(SSL_CONNECTION *s, WPACKET *pkt)
{
SSL_CTX *tctx = s->session_ctx;
unsigned char tick_nonce[TICKET_NONCE_SIZE];
@ -3942,7 +3945,7 @@ int tls_construct_new_session_ticket(SSL_CONNECTION *s, WPACKET *pkt)
unsigned char age_add_c[sizeof(uint32_t)];
uint32_t age_add;
} age_add_u;
int ret = 0;
CON_FUNC_RETURN ret = CON_FUNC_ERROR;
age_add_u.age_add = 0;
@ -4042,13 +4045,14 @@ int tls_construct_new_session_ticket(SSL_CONNECTION *s, WPACKET *pkt)
goto err;
}
} else {
int tmpret;
CON_FUNC_RETURN tmpret;
tmpret = construct_stateless_ticket(s, pkt, age_add_u.age_add,
tick_nonce);
if (tmpret != 1) {
if (tmpret == 0) {
ret = 2; /* Non-fatal. Abort construction but continue */
if (tmpret != CON_FUNC_SUCCESS) {
if (tmpret == CON_FUNC_DONT_SEND) {
/* Non-fatal. Abort construction but continue */
ret = CON_FUNC_DONT_SEND;
/* We count this as a success so update the counts anwyay */
tls_update_ticket_counts(s);
}
@ -4068,7 +4072,7 @@ int tls_construct_new_session_ticket(SSL_CONNECTION *s, WPACKET *pkt)
ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
}
ret = 1;
ret = CON_FUNC_SUCCESS;
err:
return ret;
}
@ -4089,14 +4093,14 @@ int tls_construct_cert_status_body(SSL_CONNECTION *s, WPACKET *pkt)
return 1;
}
int tls_construct_cert_status(SSL_CONNECTION *s, WPACKET *pkt)
CON_FUNC_RETURN tls_construct_cert_status(SSL_CONNECTION *s, WPACKET *pkt)
{
if (!tls_construct_cert_status_body(s, pkt)) {
/* SSLfatal() already called */
return 0;
return CON_FUNC_ERROR;
}
return 1;
return CON_FUNC_SUCCESS;
}
#ifndef OPENSSL_NO_NEXTPROTONEG
@ -4135,15 +4139,16 @@ MSG_PROCESS_RETURN tls_process_next_proto(SSL_CONNECTION *s, PACKET *pkt)
}
#endif
static int tls_construct_encrypted_extensions(SSL_CONNECTION *s, WPACKET *pkt)
static CON_FUNC_RETURN tls_construct_encrypted_extensions(SSL_CONNECTION *s,
WPACKET *pkt)
{
if (!tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
NULL, 0)) {
/* SSLfatal() already called */
return 0;
return CON_FUNC_ERROR;
}
return 1;
return CON_FUNC_SUCCESS;
}
MSG_PROCESS_RETURN tls_process_end_of_early_data(SSL_CONNECTION *s, PACKET *pkt)